Posted
by
kdawson
on Friday November 13, 2009 @09:51AM
from the uac-plus-plus dept.

Reader whencanistop writes with some details on an upcoming EU law that slipped under the radar as it was part of the package containing the "three strikes" provision, which attracted all the attention and criticism. "A couple of weeks ago we discussed the EU cookie proposal, which has now been passed into law. While the original story broke on the Out-law blog from a law perspective ('so breathtakingly stupid that the normally law-abiding business may be tempted to bend the rules to breaking point'), there has now been followup from a couple of industry insiders. Aurelie Pols of the Web Analytics Association has blogged on how this will affect websites that want to monitor what people are looking at on their sites, while eConsultancy has blogged on how this will impact the affiliate industry. In all of this the general public is being ignored — the people who, if the law is actually implemented, will have to proceed through ridiculous screens of text every time they access a website. I know most of you guys hate cookies in general, but they are vital for websites to know how people are accessing the sites so they can work out how to improve the experience for the user."

I've seen examples where third parties require cookies to analyze the usage patterns of users on client sites but I don't require logs to understand usage trends on sites where I have easy access to log files. In fact, I think usability testing would reveal more than analysis of usage data.

I've seen examples where third parties require cookies to analyze the usage patterns of users on client sites but I don't require logs to understand usage trends on sites where I have easy access to log files. In fact, I think usability testing would reveal more than analysis of usage data.

No way.Usage data is a direct measure, while user tests are a very rough estimate.Tracking usage is key if you want to have a website that is good for its users.

Well, only if you care even remotely about having some level of security. Surely you've run into a website (typically a forum) that has a ?sessid=2387498798ad87c2eea92 querystring. It's hideous and stupid, but technically you CAN use cookie-less sessions (see: php: session.use-cookies [php.net]).

Usability testing doesn't tell you how customers are actually using your site under normal conditions as part of their daily workflow; it tells you how testers hypothetically could use your site under laboratory conditions. You can certainly get useful feedback from usability testing, but to borrow a phrase, people do breathtakingly stupid things in the wild that nobody would have dreamed of during testing.

So do you actually have any evidence to back up your doomsaying, or is it just your personal view that you'd like to shove down everyone else's throat?

We don't use cookies on the sites I run, yet I still have a pretty good idea of what our users do, because we have these things called server logs. They include something called a referrer field, which tells you where the visitor came from before they reached their current page, for example. Moreover, for more detailed analysis, it is far more valuable for site improvement to have a little JavaScript that can also identify things like screen resolutions and browser versions, which give us information that is directly useful to checking that our pages will look good on the systems our visitors are actually using. Cookies won't tell you any of that.

We are contemplating using cookies for a new system on one of our sites, because it will allow users to create an account and then filter data shown on various pages according to their personal preferences. All the cookie will do is remember whether the user has logged in, and if so, who they are, for the duration of their visit. And we're only doing that because the site will work fine without an account, so we don't want to throw up HTTP Authentication screens for every visitor. We would have no problem disclosing this fully to any visitor to our site at the time they create an account.

Not that this is the purpose of cookies - but how do you differentiate between real people and robots/spiders?

More importantly how do you tell, from your server logs, how many of your users who arrived from a certain referring source stayed on the site? Do you know what they did afterwards? Do you know if they then went and performed the function your site is aimed at? Do you know if they came back at a future date to do it? Can you do any of these things without cookies?

I mentioned the referrer point merely because it completely debunks the specific argument you made in your previous post: "Most sites have 60%+ visits coming from Google in the middle of the site, to do any usability testing they need to know where they arrived to focus that usability."

You seem to have ignored the fact that I also mentioned using JavaScript for more detailed analysis.

If you need to follow specific users around your site, you can do this without cookies by adding a suitable GET/POST field on

You don't need cookies to do usability testing - you can track mouse movements and keypresses in real time with javascript and log them to the server. Most of us would rightfully consider that level of intrusiveness as spyware.

Cookies are used to keep a shopping cart. That out-law.com article spells that out. Cookies are used to track logins on forum sites. There might be an implied consent, there. But to be sure, just ask for consent when users register. Previously registered users would be directed to the consent request page once the next time they try to login. Explain that the consent is for the cookie used keep their login state. Explain that without consent, the login process cannot be completed and the user would be limited to the access level of a non-logged-in user.

Now, what else are cookies used for, that consent should not need to be given for?

I know this isn't going to be looked on well here, but here are my pro cookie, pro marketing comments...

1. Someone above complained about companies selling the data that they collect. As though it's the most terrible thing in the world to do. Guess what, every company that collects demographics about customers (grocery stores by example, the only way to not get tracked it to pay by cash. You don't need one of their store cards because they'll match your banking account numbers and STILL build a profile) and then sells them. How many useful websites on the internet are driven by 1. Selling demographics, 2.) Ad revenue. Making cookies opt-in kills both of those things. How much is/. charging you guys? Ask them what'll happen to their ad revenue if cookies are suddenly opt-in. Yeah, they can still technically serve the ads, but they will no longer be as accurate to the viewer, nor will they be tracked as well... meaning less profitable for the ad agency and the publisher.

2. Affiliate marketing... There are a lot of other sites with good information (a book review site comes to mind) that I enjoy. They all keep the site running by giving affiliate links to the products, say to a book on amazon. Kill that for them, and you kill their revenue.

So, would you propose that the people running these sites force the customer to consent before they allow them to use their services?? No, that won't work because they can only make them accept to their cookie, not the one downstream they actually get paid on. People have been so scared from cookie FUD that they will deny %90 of the time, and STILL kill many sites because their revenue has dried up.

I think this law, if they have to make one, should be more specific and say what you CAN'T use cookies for.

AND btw, affiliate links would be fine if we could JUST identify the computer, we do not need to identify the individual.

Yes, grocery stores can match bank accounts and stuff. Reason why I pay cash and object vehemently to the "trend" where the combined stores are waging a vendetta against cash and are already trying to require use of electronic and therefore trackable means. All in the name of "safety" of course. Bunch of underhanded jackassholes.

Thing is, there exist alternatives for cookies, too. Only, you'll need access to the webserver to get the logs and that makes it much harder for third parties to gather the data. Th

BTW, we give discounts to customers using affiliate links. We WANT our affiliates to be profitable, if they aren't, we aren't. So we prefer that a customer goes through an affiliate. No cookie? No discount.

I guess you'd prefer we stored it all in the query string and pass it from page to page? Guess what,that's where we're headed. That, or every link becomes a POST.

The affiliate part can be argued to be necessary for user experience, and as such exempted. The cookie is a necessity to carry on the information that the user is expecting you to carry on in his/her behalf to/from affiliate sites.

E.g. I read a book review on your site, you say "it's available on Amazon, to order click here", then when clicking said link I would not expect any less than to go to Amazon to the page where that book can be ordered. And to get that promised affiliates discount Amazon has to know where I come from.

Lack of cookies does NOT prevent ads. Lack of cookies does not prevent ads from being linked to an alternate site. Lack of cookies does not prevent your userid from being included in the URL that takes you to the other site if you click on the cookie. Lack of cookies does not prevent your userid from being included in the URL that fetches the ad image from the other site. So ads are not really hindered. What is hindered is weak minded developers that only learned one way to do things.

Yes, I know there are other ways to store the data...1. Every link becomes a javascript POST.2. All data moved between pages via querystring.3. Require a login to use the site so the data can be stored server-side.4. FLASH COOKIES;)

and don't forget to add the various advertisers into your hosts file since it'll speed up page loads. To many advertisers get overloaded, slowing down page loads plus I have no desire to waste bandwidth connecting to them in the first place.

But just for the record - based on advertising rates, TV and print advertising is (apparently) much more valuable than web advertising. And yet, they don't do per-user tracking at all. It would seem to me that getting rid of per-user tracking would make it more valuable, not less.

Why would you assume something so obviously wrong? As is so often quoted here, in advertising viewers are the product being sold. The payment comes from the advertiser.

I assume this is tounge in cheek and I don't have to go into the problems with the premise?

Yes, it is tongue-in-cheek, but it *does* have a subtle point behind it - either web advertising is undervalued, or print/TV advertising is overvalued. If print/TV advertising is overvalued, don't you think someone might have noticed by now? That leaves... web advertising being undervalued, which leads you to ask "why"? It's pretty o

Except you can already block all that with your web browser, if you don't like it.

Why put undue burden on site owners when cookie blocking features *already exist* in every browser out there? That's why this law is retarded-- not because of the intention (which I also kind of agree with, to an extent).

If the EU is really concerned, they could pass a law against third-party cookies. This would remove most of their concern, without unduely affecting site owners. (Most, if not all, ad networks and analytics pa

You know the funny thing about companies that collect and sell my personal data?

Their prices are higher than companies who do not.

Krogers and Randalls both do this.

HEB & Foodtown don't.

Yet the same product at randalls and krogers *with the affinity card discount* is more expensive than the same product at HEB and foodtown. Sometimes dramatically so (25% or more- example, whipcream $5.29 with discount card vs $3.99 every day without card).

2. Affiliate marketing... There are a lot of other sites with good information (a book review site comes to mind) that I enjoy. They all keep the site running by giving affiliate links to the products, say to a book on amazon. Kill that for them, and you kill their revenue.

Maybe you can explain why you think cookies is the only way to do this.

So, would you propose that the people running these sites force the customer to consent before they allow them to use their services?? No, that won't work because they can only make them accept to their cookie, not the one downstream they actually get paid on. People have been so scared from cookie FUD that they will deny %90 of the time, and STILL kill many sites because their revenue has dried up.

Maybe you can explain why the downstream site needs a cookie to accomplish affiliate marketing when other means, such as embedding a code in the URL, are available.

I think this law, if they have to make one, should be more specific and say what you CAN'T use cookies for.

Why? So you can make up new ways to abuse cookies?

AND btw, affiliate links would be fine if we could JUST identify the computer, we do not need to identify the individual.

That can actually be dangerous. The next person to come along might link to the same site, and they figure it must be the same person, and re-use their identifying info that first person voluntarily provided. I don't see how

Polls.On sites with thousands of clicks per second.The cookie is fast and dirty method of determining whether given user has already voted in the poll or not.To keep the results honest, the site keeps a database of IP numbers and ignores repeated votes of bots that ignore cookies or users who delete them, but for 99.9% of visitors the cookie is a perfectly adequate method and allows zero server-side intervention to distinguish between the content to be displayed (questions/results) and preliminary allowing

Ultimately, the server side has to always double check this against the user record of polls voted. The convenience is in preventing it from making a server request in the first place. That would be the Javascript code blocking the vote, or changing the vote box. Or if the whole page is refetched, don't include it dynamically the next time. There's no need to transmit such a cookie.

Now, what else are cookies used for, that consent should not need to be given for?

This is an irrelevant and distracting question, because cookies are always used with consent.

A web server replies, in response to a request initiated by the user, with a header that says, "Here's a little piece of information and I hope you pass this back to me on subsequent requests."

The user's agent -- software chosen by the user to do whatever it is that they're trying to do -- sees this completely advisory information and decides, perhaps even with a confirmation dialog with the user (or not, if the user has decided that they usually want the same behavior every time without getting bothered), to store this information. And then it decides to pass this information with the next request.

The entity the user is communication with, ultimately has no choice about whether or not the user really does this. It's all up to the person who is using the browser. Or, in very old browsers that don't have dialog preferences for cookies, it's all up to the browser's author, to whom the user decided to defer to when they install the software.

Cookies don't do things. Users do things with cookies. Servers reward users for deciding to send the cookie.

If you have chosen to transmit cookies, take responsibility for your decision, instead of crying to the government and demanding that cookies never be offered to you.

When browsers ask the user for the consent upon receipt of each new cookie, then I will believe you. So, should the law have addressed browser makers, to prohibit them from passing cookies to web sites without the consent of the user? Perhaps so.

What browser do you use? IE, Firefox, and Opera all have a very simple user setting that you can turn on. It's off by default, but is really easy to turn on.

The instant you do, you'll be asked every time a site wants to set or use a cookie. With most of them you can even differentiate between first- and third-party cookies (so cookies that originate from the site you are visiting can be tracked differently from cookies that originate from other sites). Once a site has been asked about, most browsers allow you to choose between four functional options (they are presented differently in each browser):

1. Yes, and always allow cookies from this site or domain without asking.2. Yes, just this once.3. No, just this once. Ask me again next time.4. No, and never allow cookies from this site or domain again, and never ask me again.

Actually, you owe it to yourself to turn this feature on, if only for a short time before the popup warnings drive you insane. It's a real eye-opener as to how much cookies are used on the Web today.

Ideally, all browsers would come with this set on in the beginning, with a large prominent button that said "never ask me this again - by pressing this I give my browser permission to gobble down all the delicious delicacies it wants". EU happy, users happy, trackers happy. And for those who really, REALLY care about tracking cookies, well, don't push the button.

You can, could, and still will be able to block cookies in your browser, so whatever web site operators are doing with them, it isn't going to affect your privacy or "trackability".

But, it sounds as if this new law requires the web site operators to show you screen after screen of "permissions" to continue. These permission requests are stupid as EULA dialogs, Vista-like "admin authorisation" dialogs, etc, because they (a) don't offer a meaningful change in values (be it trackability or privacy), and (b) annoy the hell out of users. I won't go into how (c) these crap warnings numb users to real warnings, which they will also mindlessly click through.

You can, could, and still will be able to block cookies in your browser, so whatever web site operators are doing with them, it isn't going to affect your privacy or "trackability".

Unfortunately, that isn't really what happens.

For example, many sites now use local shared objects ("Flash cookies") to store data, rather than regular cookies. No mainstream browser controls these by default, so even if you have disabled all cookies in your browser's privacy settings or asked to clear all your private data, LSOs will still work. Moreover, use of LSOs is often not even mentioned in a site's privacy policy; even big-name sites like YouTube have been offenders in this respect. Moremoreover, the way to disable these little buggers in Flash is hidden in a settings dialog that most users wouldn't even know to exist.

Maybe I'm crazy, but I don't see how failing to disable something that is being used to do something you never asked for, which you don't know is happening, via an obscure dialog you don't know exists, can constitute implied consent, particularly if you've explicitly disabled all similar functionality that is presented in your browser's UI.

Neither, it's basic privacy protection, and as far as I can see it's long overdue and a good thing. Why should we support out-opt monitoring rather than opt-in, just to make life easier for those who want to produce targeted advertising and affiliate blogspam?

If you have a legitimate need to use cookies, for example to help a user with a shopping cart or remember they've logged into your forum, then there will be no problem stating clearly at the point that they start to use these facilities that a cookie will be set for that purpose. If you manage to wade through all the FUD blog posts and find the actual wording [europa.eu] we're talking about here (you'll want article 2, clause 5, on page 76), you'll notice that this does not require UAC-style dialogs or 'screen after screen of "permissions" to continue'. In fact, there is even wording saying that the new rule doesn't apply in cases where the user has explicitly requested a service that needs to store cookie-like information to function properly.

My site has a little skin selection list in the top corner that makes a cookie containing a single word (the name of the user's chosen skin). It is, however, not made clear that a cookie will be written so there is no implied consent. The cookie is processed entirely in javascript, though, and is never sent back to the server. Clearly, it's not a tracking cookie but it is certainly important to the user experience - without it, whenever the user changes page or refreshes the skin will revert to the default.

I use hidden fields on all public facing government websites to track a session, because federal law forbids the use of cookies.

It's a shame that cookies can't be used for legitimate reasons simply because it's open for abuse and FUD gives the public the impression that all cookies are bad. No need to futz around with having to print a hidden field initialized with the session UID (which really isn't that big a deal) when you can just make a session cookie instead.

Every time you visit my web site, a random quote is displayed. Which quote you get is stored in a session cookie, so every page displays the same quote as long as your browser remains open (this was a better idea when I had fewer quotes in my list; I'll probably change it, but that's irrelevant to this discussion). Another cookie tracks which quotes you've already seen, to ensure that if you come back tomorrow (with a new session), you won't get the same quote you just got yesterday.

Why is a legal approach needed, though? A technical solution could achieve it better. By default, reject all cookies. Allow a site to be whitelisted. User whitelists only sites he wants the benefits of cookies from. Maybe also allow "graylist" where cookies from those sites are cleared daily.

By deliberately letting the cookie settings of YOUR BROWSER on "ACCEPT ALL", you ALREADY accept all cookies! That's why it's retarded.The website has nothing to do with that! The BROWSER is the one that has to implement the asking functionality. And those that I know already do exactly that.All we may need, is setting the installation default to "ask". Then most people will set it back, and nothing will change. Which is another reason the law is stupid.

If you are running an Amazon affiliate program you should have no problem telling your users that by clicking on the link to the product you are recommending that you get a portion of the sale. If you can't admit to that, then you aren't being honest with your users.

Likewise with Google Analytics. What's wrong with telling your users that you want to track how they access your site so you can improve it? Oh, there's the little bit about letting Google build up a profile on you. Well maybe someone will come up with an Analytics system that doesn't have a big brother behind the scenes.

Which is exactly what every site will do if this legislation is enacted by member states.

This is the problem out-law identified. If you legislate against a technology, rather than a harm, people will use a different technology to legally commit the same harm. Criminalise the use of cookies and people will use a session identifier in the GET string.

The problem is you need to show the user the text before they can view your website. Just imagine you are using google to search for something and once you click a link, you end up not on the content you expected but on a

"We use cookies to track users in the following ways, blah blah blah. Is this okay with you"

Even if it seemed reasonable, give it a week or two and most would hastily click 'agree' without reading. It would be like UAC in Vista, not the worst idea at the core, but the poorest possible implementation.

"...but they is vital for websites to know how people are accessing the sites so they can work out how to improve the experience for the user."

User experience? WTF? Sorry,but the only reason you need invisible-to-the-user cookies is so you can monetize them without them realizing just how much privacy/anonymity they're giving up. Because that might give users pause before they accept your cookies, if they had an informed choice.

And everybody here knows that. The quoted jackass in TFS is just trying to make his industry look like a victim, to drum up support from civil-liberties sympathizers on Slashdot. Too bad we're not that dumb...

As an employee of the advertising industry, I have zero problems with monetizing Internet traffic, or with using cookies to track user behavior, etc., etc. But I hate liars, and I hate people who try to manipulate me.

As an employee of an advertising company, your usage knowledge is biased in that direction. As a long-time web designer who does not try to monetize most of my offerings, I use tracking cookies to simplify site design and to understand how users navigate and help them save preferences on those sites without asking them stupid questions like Windows Vista.

You do not make websites better by guessing what the user wants. Your own slashdot website probably has someone who looks at what people do, looks at how many people comment and generally advises on which are the most popular links. This helps them work out which stories are interesting to you and not a load of garbage. It also helps them work out what tags submissions should be grouped together based on the likelihood of users to read certain typ

The approach is completely backwards. They're hampering all uses of a given technology, when what they want to control is bad behavior. It's like banning/limiting hammers because a fair amount of people tend to buy hammers and then hit people over the head with them.

The legitimate hammer users get hampered. The head bashers buy mallets.

The correct solution to the absurd hammer example here is to make hitting people over the head illegal.

The correct approach to information collection abuse would be to make c

... is to an old slashdot story which even says the initial write up is wrong and it has a link to a yahoo story which no longer exists. Come on guys , I know this is slashdot but try a little feckin harder for gods sake.

Since we're talking statistics, the largest problem is understanding. Most people don't. Maybe that's why people prefer to use external tracking services instead of using the information already on their own website: The access logs. Otherwise I really don't see why you'd use them. No, it won't get everything, but it _will_ give you general trends. And with a large enough sample those trends will be obvious enough.

Plus, all this focus on ``user experience'' gave us dancing rodents and several big fat stacks of proprietary, closed, and platform-dependent stupidity of the likes of flash. The most prevalent user experience therefore has to be ``confused boredom''. And in a score or two years, bitrot has ensured all that crap stays lost forever. That's a definite boon, but not good for general archiving, and therefore a problem.

My core concern with websites is what content they have to offer, and if I can't find it, I'm gone. Flash? bye-bye. Confusing layout? Two more clicks and I'm gone again. A sitemap? Click on it and search for a couple keywords. Nothing? Ciao! And so on, and so forth.

``User experience'' is overrated. Focus on the message; write it for me and not at me, make it easy to find, easy to flip through, easy to search, easily available. And for that, you really don't need cookies, and you especially don't need and therefore shall not require javascript, java, or some other proprietary plugin.

If you want to track your users, all you need is a small shell script to connect requests, referrers, and timestamps together and you'll have more info than you could possibly need already.

If you don't understand why third party tracking is used, then you don't understand running a website with any appreciable advertising revenue. We don't use third party tracking to fix our web servers or for internal trending, we use those numbers to sell ad space. Advertisers are not going to believe you when you say that you get X amount of hits based on your web logs.

User experience can also be tracked in that way, of course, and certainly if the third party tools are well built, our user experience groups can use that data, but that is not why we spend the money on third party tracking.

Third-party tracking doesn't require cookies. You're either misinformed, unimaginative, lazy, or some combination of those three. No cookie for YOU!

Okay - that was harsh. Look, you've been misinformed about how you "need" cookies to track stuff. You don't - but programmers are just as much a bunch of lazy shits when we're not scratching our own itches as anyone else.

There's enough blame to go around for everyone, and this article is just more FUD and people looking for page hits so they can make a f

Indeed, this isn't the '90s anymore. We have technology that allows us to better target advertising and better track our business. Why legislate ourselves back to the days of broadcast advertising and a stateless web? And to those who say to use log files for analytics, you have to be kidding me. You obviously don't run a website.

Here's what's coming. The now-finalised text says that a cookie can be stored on a user's computer, or accessed from that computer, only if the user "has given his or her consent, having been provided with clear and comprehensive information".

An exception exists where the cookie is "strictly necessary" for the provision of a service "explicitly requested" by the user – so cookies can take a user from a product page to a checkout without the need for consent. Other cookies will require prior consent, though.

~The Out Law Blog

So- some websites will have an EULA page. Big deal. Actually, that's not at all a bad idea now is it? So why all the hoopla?

The site may have an EULA, but you still can't present cookies to the user until he has had a chance to read it and decide to either agree to the terms or go elsewhere. At the moment, you get a cookie when you first visit the site before you get a chance to read anything.

The now-finalised text says that a cookie can be stored on a user's computer, or accessed from that computer, only if the user "has given his or her consent, having been provided with clear and comprehensive information".

The web server says "hey, here's a cookie you can store for me, if you like, and send it back later to assist me. Do with it as you please." The user's browser either ignores it, or later sends a copy. If this isn't consent, I don't know what the hell is. So the HTTP protocol itself alread

Couldn't browsers be made "EU-compatible" and give users a settings checkbox that says (more or less) "I either don't care about cookies or I'm perfectly comfortable dealing with them on my own (either with plugins like CookieCuller or manually.) Bring 'em on!"? Or doesn't the new law allow that?

Couldn't browsers be made "EU-compatible" and give users a settings checkbox that says (more or less) "I either don't care about cookies or I'm perfectly comfortable dealing with them on my own (either with plugins like CookieCuller or manually.) Bring 'em on!"? Or doesn't the new law allow that?

If done on a case by case... that is, site by site (site being a domain name or maybe a host name), then sure, I'd go along with this. Just give the user options like:

I consent to return of cookies from and to different hosts within the same domain, for any domain.

I consent to return of cookies from and to different hosts with the same domain, for this domain only.

I consent to return of cookies from and to the same host in any domain.

I consent to return of cookies from and to the same host in this domain

There are in fact still people who refuse to allow cookies, and there are still browsers like lynx that require explicit confirmation from the user before they accept them(In fact, the directive does not ban cookies. It simply mandates the default behavior of lynx.). Ask yourself; what can be accomplished with a cookie that can't be accomplished using alternative mechanisms. Try thinking outside the box you've been in for the last 15 years.

Let us be frank. Cookies have been abused. Horrendously abused. Private companies have tagged, tracked, and stalked billions of people. We have allowed terabytes of data on the lives of everyday people to fall into the hands of completely unscrupulous entities. The information held by even smaller marketing outfits would 20 years ago have seemed like a treasure trove to organizations like the Stazi and the KGB. Does the fact that such information is akin to that desired by secret services mean that the collection and indexing of this information is inherently wrong? No; but it is a big hint that it probably is.

The EU may have blundered here, throwing the baby out with the bathwater. But I think their basic motivations were very admirable. As out lives move more and more onto the net, we cannot accept the current status quo of companies like Google, Yahoo, Microsoft and the rest being allowed to do as they please with data on other people. The Despite the unworkable nature of the law, the EU is moving in the right direction on this.

Ask yourself; what can be accomplished with a cookie that can't be accomplished using alternative mechanisms.

Semi-permanently modifying the page to the user's desires without server-side intervention.

Yes, it can be done server-side, using IP tracking, login and so on. But they require actual CGI to run and generate content, instead of the HTTP layer spitting out "Cache HIT" on page content and static Javascript.

Users hate registration, and IP tracking is useless with dynamic IP (there are ISPs that change it once a hour). But even then, you just have to do server-side work that would be better done client-side simply because servers cost. I've been working with a big IT/Portal/News company that had a big farm of servers that was at 80-90% of its load at all times. If not cookies combined with tons of static content kept client-side in browser caches and in a squid layer protecting the farm, refreshing the content of each page maybe once in 15 minutes vs ~1000 hits/second, we'd have to maintain about 2-3 times as many servers. And that would move us from "quite profitable" to "generating losses".

How do I implement sessions without mangling all the local URLs in the output (which is seriously non-trivial and poses its own problems, also with security and privacy), yet without the use of cookies?

Regulating tools doesn't work. Regulating behaviors does. When governments try to regulate technologies, they usually focus on the tool instead of behavior with asinine results. It would be much easier to simple:

Outlaw the practice of collecting marketing information without the express permission of the person being collected, at the time the data is collected. Make it clear there is no "blanket" opt-in possible under the law.

Make it a civil tort with a big statutory fine (say something around $10,000) to skirt this so lawyers would go after abuse on contingency.

It's not that hard, but we have to help lawmakers better understand the difference between tools and behaviors.

In what way are they being abused? Cookies are not some magical tracking device that can be accessed by anyone and everyone. They are a packet of data that is sent back to the originating domain. They are not cross-domain and can only be accessed by the domain that first created it. In other words a site can only track a customer that passes through their site.

This is no different to your credit card. Recently I went a made a purchase from an Apple store. I was incredibly surprised to recieve an email 5 min

Cookies are often used to store user variables when they go from one page to another - patching holes the stateless web protocol forces on the user experience. Session or server-side variables may also be used for this, but that's more work for the web designer, who usually is up to his neck trying to support different versions of IE misbehavior.

Sites I've worked on have never used cookies to send back personal information, but they have used them to improve the user experience.

Server-side variables are primarily more work for the server, which has to re-run the script instead of informing the content didn't change and can be retrieved from the browser cache (and modified client-side according to the cookie).

This doesn't sound "breathtakingly stupid" to me. It's debatable. Maybe it's "breathtakingly stupid" that it slipped through without notice, but if we are talking about what's right and what's wrong, it can be argued (and often is, I'm sure) that one should expect to have privacy in regards to their browsing habits*. The fact that it negatively impacts businesses should be irrelevant, if we are talking about protections for the individual.

* Yes, you can turn off cookies from the user end, but laws are sometimes there to protect people who don't know any better, and there are a *lot* of them in this case.

There seems to be an assumption that cookies are almost entirely used for evil tracking of website visitors. People have brought up shopping carts and logins, but there are many, many other relatively minor uses for which cookies are useful. Are we to provide you with a disclaimer every time we want to make sure some little setting that you have clicked "sticks" as you jump between pages? Yes, there are other tools to do this job, but cookies are also a specific tool for a specific job.

But then again, having a site "remember you" between sessions is a security risk. I mean ok, who cares if your brother starts trolling people with your slashdot account if he comes over for the weekend... but just the concept. You know, you CAN provide unique service to someone using a login, session ID's and designing your website with the appropriate GET/POST commands. Admittedly it is a LOT more work for the web designer, but far more secure than cookies. However you guarantee that the session "expires" the minute you close the web browser.

Cookies are used to keep track of a user's session, especially when it crosses a load balancer and gets sprayed to any number of identical servers. Without the cookies, there is no way to keep your session on a consistent web server throughout a session. Remember things like "www3.netscape.com"? Cookie-based load balancers are what fixed that situation.

Yes, cookies are abused by advertisers, but quite frankly, I don't give a damn if a site wants to use them to follow me on their site. They DO use them to see which products are popular, what items are considered together - valid data that lets them make business decisions. I know from working with web design firms that they can be used to track flows through a site and tell what parts of navigation are difficult, and if users are missing the "intended" way of using a site.

There are lots of valid technical uses for cookies. I've never understood why they're vilified. It's a tiny chunk of usually random/hash data that's put on your computer by the remote site. Why should you care if they then retrieve it? The only objectionable use is cross-site cookies used by advertisers, and most decent browsers let you disable that class of usage, but not the rest.

Ok, no cookies. Poor me. You're just making it more difficult, but there are ways around it.

1. The malware and other scrupulous sites you hate so much... They wont obey your rules.2. I hope you enjoy long query strings, because everything is going to be passed from page to page.3. If you don't, expect every link to become a javascript POST.4. You'll be required to create an account a lot more often so we can store everything server side and restore to SESSION variables when you return.5. And expect a lot of free content sites to go belly up. No cookie, no revenue.6. What percentage of sites these EU customers visit are hosted outside the jurisdiction?

Why do government people think that passing laws like this can fix a problem that is fundamentally a technology problem? The problem is that when lawmakers focus on tech, they often focus on regulating the tool instead of regulating behavior. So you get situation like this:

Trigger: People are killed with a hammer.Response: Ban Hammers.Unintended consequence: Entire construction industry out of business, everything falls to disrepair, screw industry explodes, scarcity of hammers lead murders to switch to using rolling pins.

In this case, the issue is user privacy. Regulating cookies does little other than break the web which is in many ways cookie dependent for many different dynamic interactions between applications on servers and browsers. So, you break the internet, reduce security, and move advertisers to using something that's not a cookie to tag visitors with (lots of ways to accomplish this).

The reason this has come to the extreme is simple. If a website / web app uses cookies, it should clearly state so in it's disclaimer / privacy policy in such a way that people who visit the site should be able to know exactly what information is being taken from their visit by the website. If this was done upfront and in an honest fashion, this issue simply wouldn't be. As it is, many websites either keep this info in a generic way or just plain omit it. Now I'm not talking about fishing/scam websites, of course. These make the issue even worse. So now, cookies are being managed through legislation.

If you're site is using cookies, no problem - this directive isn't going to affect you. If you're site loads third party cookies then this is what this law is addressing. There are legitimate uses for third party cookies, and your users will have no problem recognising and understanding those uses and probably consenting to the cookie. I'm guessing you're only going to be concerned if you're loading some advertising, affiliate stuff that you'd rather the user didn't know about.
And check your logs - all those none IE visitors can already disable third party cookies easily in the browser preferences. If you're site, or revenue relies on using technology from the 90's then the EU is the least of your problems...

Submitter apparently is counting on/. readers to not follow links but merely form opniions from TFS. This is presented as though it were a list of blogs bashing the new law from all angles... but in reality:

- The first link is to an old/. entry. TFS from that entry has an update acknowledging that the summary write-up is wrong and encouraging readers to RTFA, but its article link is broken.

- The 2nd link is to a blog hostile to the law. Its writing style clearly shows bias. It is light on facts or citations to authoritative references, and heavy on assumptions about how to interpret the law.

- The 3rd link is to another blog disagreeing with the interpretation from the blog in the 2nd link, and saying that the law doesn't really look that bad....and at that point I gave up. This information just isn't important enough to me personally to justify continuing to navigate a dishonest compilation.

Here's an idea for future attempts: how about a link to the damned law?

firstly, its not all cookies, just those that are not directly related to the operation of the site the user went to.

That means this regulation is mostly attacking tracking cookies.

When I went to my favorite site, I never gave anyone called "fastclick" (or whoever)permission to store their stuff on my PC. Nor would I ever give them or anyone else permission to track my surfing habits, yet they are doing it without ever having asked or even informed me. This is a privacy issue.I totally agree with the EU legislation.

Personal data almost always isn't stored on cookies. You give your personal data to a company. They probably don't even link that data up with what you do on the website via cookies. If that company then sells that information on to someone else or uses it for reasons that aren't ethical, that isn't down to cookies. That is down to the company being crap.